Gmail Addresses, Website Passwords Leaked Online

CBC

A list of almost five million Gmail addresses and passwords culled from various websites was posted on a Russian online forum Tuesday, according to various reports.

Mashable and other technology news websites reported that the leaked passwords are not necessarily those used to access Gmail accounts but seem to have been compiled from other websites, including some where Gmail addresses were used to register.

Several internet security experts who examined the leaked list, which was posted as a text file to the Russian online forum Bitcoin Security, reported on Twitter that the passwords appear to be several years old.

Danish cybercrime specialist Peter Kruse of the CSIS Security Group tweeted that the leak "likely originates from various sources" and that most of the leaked passwords are more than three years old.

Some Twitter users who reported finding their data on the list said the passwords were outdated or associated with old accounts.

The leak was first publicized in Russian online forums and media, including the popular technology website CNews, early Wednesday and then on a Reddit discussion forum.

Likely not a Gmail security breach

The leak does not appear to have been the result of a Gmail security breach, and not all of the leaked email addresses were Gmail addresses — although the bulk were. Software specialist Troy Hunt tweeted that about 123,000 of the approximately 4.78 million leaked addresses were part of the Russian email service Yandex. Others were reportedly accounts with the Russian-based Mail.ru.

Both of those email services were hit by a separate hack earlier in the week that leaked millions of user addresses, the Russian news network RT reported.

Hunt runs the website Have I been pwned?, which allows users to verify whether their data has been compromised through a breach, and was in the process of importing the leaked list Wednesday afternoon in order to make the data searchable.

Those worried about the leak can also use the Russian site Is Leaked? to verify whether their Gmail addresses are on the list.

Several security experts said Tuesday's leak was a reminder to internet users to use a two-step verification system when signing into Google services, change passwords frequently and not use the same password across websites and services.

The technology website The Daily Dot reported that Google and Yandex told CNews that the leak was likely the result of years of phishing and hacking efforts but that those did not compromise the companies' databases.